Spam that delivers a pink slip

New trick lures worried employees to visit malicious site.

Last week, a handful of employees at Dekalb Medical Center in Decatur, Ga., received e-mails saying they were being laid off. The subject line read “Urgent – employment issue,” and the sender listed on the message was at dekalb.org, which is the domain the medical center uses. The e-mail contained a link to a Web site that claimed to offer career-counseling information.

And so a few employees, concerned about their employment status and no doubt miffed about being laid off via e-mail, clicked on the link to learn more and unwittingly downloaded a keylogger program that was lurking at the site.

Score another one for spammers.

Called targeted spam or spear phishing, this type of spam that’s currently on the rise is particularly vexing because the spammer is able to “spoof” the sending e-mail address to make it look like it’s coming from within the organization of the recipient, making it difficult for spam filters to catch. And, unlike traditional spam that is sent in the thousands, spammers are sending just handfuls of these messages at a time, again making it difficult for antispam technology to detect.

“We blocked a ton of spam at our e-mail gateway because the [sender] addresses are not valid, but these were,” says Sharon Finney, information security administrator at Dekalb Medical Center that has 3,500 employees.

The IT department at the medical center found out about the scam when an employee in the HR department, who had received a frantic call from one of the scam’s recipients, called the company’s CIO. The first thing the IT department did was to set its Web filtering software to block all users from visiting the site linked to in the spam, says Finney.

Then Finney got on the phone with Proofpoint, the company’s messaging security vendor, which used its automatic update service to add a rule to its customers’ antispam filters that blocked e-mails containing the same link in attempts to protect others from the scam. Although these e-mails are highly targeted to their recipients and are sent in trickles instead of blasts, they’re becoming more and common.

“I don’t think we were the only ones targeted by this, I’ve talked to other local hospitals and they’ve gotten it, too,” says Finney. “It’s going to get ugly. Spammers are going to get stealthier and more targeted – these recent e-mails had terminology specific to healthcare, so they knew we are a hospital.”

Officials with Proofpoint, Dekalb Medical Center’s messaging security vendor, agree that targeted spam is on the rise.

“We’re seeing this more and more, typically either in large organizations or with very well-known brands,” says Rami Habal, director of product marketing with Proofpoint. Once the company has been alerted to the scam, blocking it is easy. But detecting such well-crafted messages is becoming harder as the sophistication level of spam increases; gone are the days of simply filtering for the word "Viagra".

There are ways to detect even well-written fraudulent e-mails, says Habal.

“Our technology looks for clues in the message, even though it might look like it’s perfectly formed, there might be ways that the HTML was written that alerts the system that it’s suspicious,” says Habal. Another way is by using sender-authentication technology that can check if a message really comes from the domain it claims to, although Habal adds that since not all organizations are using sender authentication that approach isn’t perfect.

But in this case, the spam slipped by Proofpoint’s filters unnoticed, and two PCs at Dekalb were infected with the keylogger program. The IT department spent roughly two hours cleaning them up.

Proofpoint’s technology catches so much spam that Finney isn’t fazed by these few that slipped by. However, she is concerned that the nature of spam is changing, making it more dangerous and harder to catch.

“Spam is something that is such a cheap method of intrusion, I think in the long term ... spam … is going to get stealthier and more targeted, and the payload is going to be more about gathering information” than selling products, she says. “The more targeted spam becomes and the more specific to each industry, the harder it’s going to be for [antispam] companies to detect it.”

Learn more about this topic

Taming the ever-evolving phish risk

Survey: More phishing suckers out there than we thought

Proofpoint gets tougher against spam, viruses

Join the discussion
Be the first to comment on this article. Our Commenting Policies